Re: [marf] Including Mail fields in IODEF

"Panos Kampanakis (pkampana)" <> Fri, 01 March 2013 21:52 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3934721F8D6D; Fri, 1 Mar 2013 13:52:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id wGBhYlaOSU3F; Fri, 1 Mar 2013 13:52:32 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 36D6F21F8D66; Fri, 1 Mar 2013 13:52:32 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=3535; q=dns/txt; s=iport; t=1362174752; x=1363384352; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=DUFu3ziD9oZ9Fmwrtzt9XqUKgKXkelnjGzCUKCgnE/Y=; b=l71bu5l/tdo2Y7ZfQUhiXlsb7DlsIgUKEEEyeBRW3LEuJDfiIHmi6k0p fwRe7+EBaHfMbixSCIEBTbkuMfKSnBCbuWmPikF/+vJfAv1SvFQxlnPZ3 U2qSwNGvPLzbZXVMOTeqE1tbvL+mJXltWUk9YNDqtvLcTpGPTsIPnQtBA M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.84,762,1355097600"; d="scan'208";a="179847234"
Received: from ([]) by with ESMTP; 01 Mar 2013 21:52:31 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id r21LqVX1013508 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 1 Mar 2013 21:52:31 GMT
Received: from ([]) by ([]) with mapi id 14.02.0318.004; Fri, 1 Mar 2013 15:52:31 -0600
From: "Panos Kampanakis (pkampana)" <>
To: "Moriarty, Kathleen" <>, "" <>, "" <>
Thread-Topic: Including Mail fields in IODEF
Thread-Index: AQHOEBvuagQSHFBhb0e+qysbcbjrmZiRbEJg
Date: Fri, 1 Mar 2013 21:52:31 +0000
Message-ID: <>
References: <>, <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailman-Approved-At: Sun, 03 Mar 2013 01:05:41 -0800
Subject: Re: [marf] Including Mail fields in IODEF
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Message Abuse Report Format working group discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 01 Mar 2013 21:52:33 -0000

I think MARF provides more functionality and should be leverage for emails in IODEF.
I also think we need to resurrect within MILE since MARF was concluded..

-----Original Message-----
From: [] On Behalf Of Moriarty, Kathleen
Sent: Thursday, February 21, 2013 5:19 AM
Subject: [mile] Including Mail fields in IODEF


Cross posting with MAIL and MARF - 

In MILE related work, I have come across use cases that would like to include DKIM and SPF information in addition to specific mail fields (like the ones Chris lists below).  We would like some help to figure out the best approach.  Should we embed ARF and MARF RFC extensions to accommodate this need or should we look at updating RFC5901?  Both take the approach of including an email message as opposed to using XML to tag each field and allow for this in the data model (in my opinion, that is fine and reduces bloat, but there may be other opinions).

There was a draft published last year (link included below) that includes MARF in an IODE extension.

From: Harrington, Christopher
Sent: Wednesday, February 20, 2013 2:57 PM
To: Moriarty, Kathleen;
Subject: RE: Mail fields

I'm for the simplest solution as always. These are the indicator types that we routinely share. I would use these as a base:

Email address (denoting if it is to or from) Email Subject Email attachment name Email attachment hash X-Mailer (from header) Hyperlink in email

It's also very common to share the whole header. Bad guys routinely forge them and put extra header items that can be used as indicators.  Although not an indicator sharing the entire email as an .eml or .msg file is also pretty common.



-----Original Message-----
From: [] On Behalf Of Moriarty, Kathleen
Sent: Wednesday, February 20, 2013 2:58 AM
Subject: [mile] Mail fields


In looking at the updated rfc5070bis and coming across some requests for handling certain types of exchanges, I am curious to hear how others think we should handle mail related indicators and incidents.  A couple of commonly exchanged fields were added into the Record class.  You can still extend out using RFC5901 and include a full mail message, but if you wanted to include DKIM or Sender Policy Framework, you need something else.  The IETF group MARF already solved these issues.

MARF uses the email tags rather than XML and there was a draft that embedded MARF content into IODEF (contains an example), can be found here:

Since mail is already marked and can be parsed, would this be a better option to use what MARF has already done to solve the question on how to exchange this data?  Other options would be to update RFC5901 or to extend IODEF further.  I prefer the use of MARF.  It is already in use by mail operators, so there is adoption.

mile mailing list
mile mailing list